Information About Medeco High Security Lock Issues
Medeco locks are currently used in over 75% of the US high security market, with few users knowing that they may want to avoid Medeco locks. While worldwide their high security market share is much lower, in the US they still are the predominant high security lock. Unfortunately over the past few years, several vulnerabilities
of this system have come into light. While the system certainly offers
more protection over a standard pin tumbler lock, in the
price range of Medeco locks there are far better security
solutions. Keep in mind that most of the vulnerabilities listed here apply to standard Medeco Biaxial and M3 locks (like deadbolts, and padlocks) and not to their line of cam locks, which utilize a different mechanism and still appear to offer a decent level of security (as long as they are not overly master keyed, and some key duplication issues still exist).
All Medeco locks that were factory keyed in the second half of 2011 or later have all the revised hardware. This eliminates the major vulnerabilities in most Medeco locks and as long as customers ensure factory keyed locks with a date after this they can be sure to get locks with all the fixes described on our Fixes
page (please see the update on the Fixes page for full details).
Our Primary Problems with Medeco(Back during 2010)
Below is a quick summary of our major issues with Medeco currently, this site goes into details with some of our concerns with their product and everything should be read, and if possible, you should do your own research before taking any action.
- Locks coming off the factory line right now do not contain all of the fixes from Medeco, and customers even buying direct from the factory have no way of telling how fixed their locks are.
- Medeco locks(including old inventory/parts that some Medeco locksmiths currently sell) older than Late 2006 / 2007 have several major exploits with them, and most customers are not aware of these exploits in any way. Some of these expolits can result is very quick compromise of Medeco systems. Many more recent Medeco locks also have some of the same issues.
- Medeco key-control of virtually all the M3 (latest generation) and some biaxial keys has been severely compromised allowing for somewhat easy key duplication without large technical skill.
- Customers using Medeco Logic systems could be especially vulnerable as the system has been compromised several different ways.
The two primary pioneers in the forefront of
bringing Medeco vulnerabilities to the public eye are Marc Tobias and
Tobias Bluzmanis of Security.org
many years now, they have worked countless hours on analyzing and breaking
down the Medeco lock and its vulnerabilities. They have tried to work with Medeco from the beginning to keep them informed of what they have found and get the locks fixed, but unfortunately, Medeco doesn't appear to have responded in a constructive manner. For details on the many ways Medeco has been compromised, we suggest picking up the book Open in 30 Seconds by Marc Tobias and Tobias Bluzmanis which covers much of what they found and goes into more detail on what we discuss below. The Security.org team discovered 3 primary problems with all of Medeco's latest locks: 1) Their codebooks used by locksmiths to cut keys had a flaw allowing all sidebar combinations to be mapped to only four keys 2) Once the pin rotations have been set they can be kept in position during picking or insertion of another key by applying tension to the sidebar 3) The Medeco M3 and some of the Biaxial keyways are wide enough for unauthorized key blanks to be used. In 2009 Marc Tobias and Tobias Bluzmanis announced they were able to completely compromise the Medeco electronic system, Medeco Logic. They were able to completely bypass the electronic side of the system and the audit log with a few simple tricks.
One major problem with Medeco locks is the fact that given the proper rotation of the pins, it is possible to lock the rotations in place so that it is degraded to the state of being like a normal pin tumbler lock. This problem is combined with some of the Security.org team's other discoveries to make much more dangerous attacks. Now getting the current rotations is not simple, it requires having a key(or information about a key) of the system or the use of one of the combined sibebar keys(talked about below). This method works due to the fact that when rotational pressure is applied to the lock, the sidebar fingers will lock the pin rotations in place. This can be done using a set key, or even a normal key to the system. For example a low level key(like the key used for the bathroom could be inserted into a higher level lock (like say a storeroom) and then while applying pressure remove the key. The pressure will keep the pin rotations in place, and allow the lock to be attacked.
One of the largest
vulnerabilities that they discovered is often referred to as "The Four Keys to the Kingdom". It can be combined with the previous vulnerability to easily attack many Medeco locks. They discovered that with a combination of four
different keys, virtually all factory pinned Medeco locks manufactured
prior to December 2007 can have their security reduced essentially to
the same level as standard pin tumbler locks (making it possible to bump
or pick them). In December of 2007, Medeco quietly released new code
books to a select number of their dealers in order to cut keys that then
require the use of 16 different keys to exploit the vulnerability rather
than just four keys. Medeco did release a special type of pin called ARX
pins that are supposed to make it harder to bypass their locks using
certain specialized tools, but these pins can be difficult to obtain
from Medeco if you wish to upgrade existing Medeco locks. Unfortunately, while these pins can make certain attacks against their lock harder, they are far from a complete solution. We haven't seen any indication that Medeco has informed their dealers of the vulnerabilities in their locks or the reason for the new code books which became available in December 2007.
other major problem with Medeco's latest M3 lock and some BiLock locks
has to do with the keyway itself. Security requirements dictate that
security locks provide warding that makes it impossible for a straight
piece of metal (or another substance) to enter the keyway. This ensures
that keys cannot be duplicated onto non-factory blanks without great
effort. Unfortunately, virtually all of the M3 (which had its keyway
widened) and several Biaxial keyways are actually wide enough a piece of
metal can easily fit in the keyway. You can even cut Medeco's angled cuts onto this. Marc Tobias and Tobias Bluzmanis have been able to actually duplicate Medeco keys onto more than just metal, including cutting up any common credit card into a working Medeco key. This is a large problem as it means there is very little key control for Medeco keys. Anyone who has access to a key could possibly duplicate that key into something else and give you the key back, and you would never know.
There are other attacks against Medeco locks in
addition to the ones listed above including vulnerabilities in many of
their deadbolts prior to 2006 (for which Medeco released two "fixes"
after they were informed by the Security.org team). For more details, we
strongly recommend their book. It appears that at this time, many of the attacks they outline in the book have still not been addressed by Medeco despite having now had a great deal of time to do so. Unfortunately, it seems Medeco has not even kept their own dealers informed and seem to be misleading the media about their vulnerabilities. Due to this situation and Medeco's response, we strongly recommend against their use in any area requiring a high security lock. Once again, this applies only to their standard locks and not their cam locks, which use a different mechanism and do not seem prone to the same vulnerabilities.
In 2009 the Security.org team went public with the fact they were able to completely bypass the Medeco Logic system. This system was an electromechanical system that had both an electronic component and a mechanical component to the key. It allowed auditing lock use, locking out keys that had been lost, and several other features through the electronic side of things. The exploits found allowed for very easy bypassing of the electronic requirement, not just can unauthorized electronic keys be used without generating an audit trail but purely mechanical keys could be used in locks thar were supposed to require electronic counterparts. This effectively makes the Logic system useless, and possibly leads to additional compromise in the system as any masterkeying or lost key enforcement through the Logic system would not work with their bypasses.